Database Security Digest – January 2017

DataSunrise Blog

Here is a round-up of the most notable cyber-attack and database security news of the month.

For MongoDB users, the year started with huge risks. More than 28,000 hijacked MongoDB databases have been reported. MongoDB is a free and open-source NoSQL DBMS. The attacks are carried out by various groups using simple scripts that exploit misconfigured MongoDB deployments. The ransom script wipes the database and demands $100-500 to return it. The script works only against MongoDB instances that use a default or easy-to-guess administrator password and are reachable from the Internet. Hadoop and CouchDB installations are also reported to have been attacked using the same scheme. The common factor among the victims is a default configuration that allows access without authorization. The platforms themselves are not insecure; the problem is that a surprising number of companies neglected the very basics of database security. Companies that had no backups have lost their data for good, since most attackers do not return the data even after receiving payment.
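The "very basics" referred to above come down to two settings in mongod.conf: which interfaces the server listens on and whether access control is enabled. The following audit script is an added example (not from the DataSunrise post or from MongoDB); it parses the two-level mongod.conf layout and reports both settings over two constructed sample configurations. It assumes the pre-3.6 behaviour that an absent bindIp means listening on every interface.

```python
"""Audit a mongod.conf for the two basics the ransom attacks exploited:
a bind address reachable from the Internet and access control left off."""
import ipaddress

# Constructed sample: an exposed deployment (listens on every interface, no security section).
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server hardened (loopback only, authorization on).
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_conf(text):
    """Minimal parser for the 'section:\\n  key: value' layout of mongod.conf (not full YAML)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw[0].isspace():                  # unindented line: top-level section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def audit(text):
    """Return findings for a mongod.conf text; an empty list means both basics are in place."""
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    # Assumption about old builds: before MongoDB 3.6 an absent bindIp meant 'all interfaces'.
    for addr in net.get("bindIp", "0.0.0.0").split(","):
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            continue                              # hostnames / unix sockets not classified here
        if not ip.is_loopback:
            findings.append(f"net.bindIp {addr.strip()} is reachable from other hosts")
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: any connection gets full access")
    return findings
```

Running `audit(WEAK_CONF)` yields two findings, while the hardened configuration yields none; a regular backup schedule is the third basic the post mentions and is outside what a config check can verify.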

The ESEA video gaming community has been breached. 1.5 million accounts were compromised, including usernames, email addresses, hashed passwords, birthdates and phone numbers. The company did not store payment information, and account passwords were hashed with bcrypt.

Indian banks encountered a problem with SWIFT, the messaging system used to secure financial transactions. No money was lost, but the weakness could have been used to fraudulently duplicate trade documents. A forensic audit is under way.

Database Security

Oracle started the year with its regular Critical Patch Update, fixing 270 vulnerabilities across various products. The original risk matrix can be found here.

MySQL

The Critical Patch Update contains 27 security fixes for Oracle MySQL. Five of these vulnerabilities can be exploited over a network without user credentials.

| CVE # | CVSS Score | Component | Description |
|---|---|---|---|
| CVE-2015-7501 | 8.8 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows a low-privileged attacker with network access via TLS to take over the MySQL Enterprise Monitor component. |
| CVE-2016-0635 | 8.8 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows a low-privileged attacker with network access via TLS to take over the MySQL Enterprise Monitor component. |
| CVE-2016-0714 | 8.8 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows a low-privileged attacker with network access via TLS to take over the MySQL Enterprise Monitor component. |
| CVE-2016-5541 | 4.8 | MySQL Cluster: NDBAPI | Allows an unauthenticated attacker with network access via multiple protocols to compromise the MySQL Cluster component. Successful exploitation can result in unauthorized update, insert or delete access to some of the MySQL Cluster accessible data and the unauthorized ability to cause a partial denial of service of MySQL Cluster. |
| CVE-2016-5590 | 7.2 | MySQL Enterprise Monitor: Agent | Easily exploitable vulnerability that allows a high-privileged attacker with network access via TLS to compromise MySQL Enterprise Monitor. Successful exploitation can result in takeover of MySQL Enterprise Monitor. |
| CVE-2016-6304 | 7.5 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows an unauthenticated attacker with network access via TLS to compromise the MySQL Enterprise Monitor component. Successful exploitation can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of the MySQL Enterprise Monitor component. |
| CVE-2016-8318 | 6.8 | MySQL Server: Encryption | Easily exploitable vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Exploitation requires interaction from a person other than the attacker. Attacks may significantly impact additional products. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2016-8327 | 4.4 | MySQL Server: Replication | Difficult-to-exploit vulnerability that allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3238 | 6.5 | MySQL Server: Optimizer | Easily exploitable vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3243 | 4.4 | MySQL Server: Charsets | Difficult-to-exploit vulnerability that allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3244 | 6.5 | MySQL Server: DML | Easily exploitable vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3251 | 4.9 | MySQL Server: Optimizer | Easily exploitable vulnerability that allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3256 | 6.5 | MySQL Server: Replication | Easily exploitable vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3257 | 6.5 | MySQL Server: InnoDB | Easily exploitable vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3258 | 6.5 | MySQL Server: DDL | Easily exploitable vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3265 | 5.6 | MySQL Server: Packaging | Difficult-to-exploit vulnerability that allows a high-privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires interaction from a person other than the attacker. Successful exploitation grants unauthorized access to critical data or complete access to all MySQL Server accessible data and the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3273 | 6.5 | MySQL Server: DDL | Easily exploitable vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3291 | 6.3 | MySQL Server: Packaging | Difficult-to-exploit vulnerability that allows a high-privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires interaction from a person other than the attacker. Successful exploitation can result in takeover of MySQL Server. |
| CVE-2017-3312 | 6.7 | MySQL Server: Packaging | Difficult-to-exploit vulnerability that allows a low-privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires interaction from a person other than the attacker. Successful exploitation can result in takeover of MySQL Server. |
| CVE-2017-3313 | 4.7 | MySQL Server: MyISAM | Difficult-to-exploit vulnerability that allows a low-privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful exploitation grants unauthorized access to critical data or complete access to all MySQL Server accessible data. |
| CVE-2017-3317 | 4.0 | MySQL Server: Logging | Difficult-to-exploit vulnerability that allows a high-privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. The attack requires interaction from a person other than the attacker. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. |
| CVE-2017-3318 | 4.0 | MySQL Server: Error Handling | Difficult-to-exploit vulnerability that allows a high-privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. The attack requires interaction from a person other than the attacker. Successful exploitation grants unauthorized access to critical data or complete access to all MySQL Server accessible data. |
| CVE-2017-3319 | 3.1 | MySQL Server: X Plugin | Difficult-to-exploit vulnerability that allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation can result in unauthorized read access to a subset of MySQL Server accessible data. |
| CVE-2017-3320 | 2.4 | MySQL Server: Encryption | Easily exploitable vulnerability that allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation grants unauthorized read access to a subset of MySQL Server accessible data. |
| CVE-2017-3321 | 3.7 | MySQL Cluster: General | Difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful exploitation grants the unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Cluster. |
| CVE-2017-3322 | 3.7 | MySQL Cluster: NDBAPI | Difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful exploitation grants the unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Cluster. |
| CVE-2017-3323 | 3.7 | MySQL Cluster: General | Difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful exploitation grants the unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Cluster. |

Oracle Database Server

This Critical Patch Update contains 5 new security fixes for Oracle Database Server. Three of them are remotely exploitable without authentication.

| CVE # | CVSS Score | Component | Description |
|---|---|---|---|
| CVE-2017-3240 | 3.3 | RDBMS Security | Easily exploitable vulnerability that allows a low-privileged attacker having the Local Logon privilege, with logon to the infrastructure where RDBMS Security executes, to compromise the RDBMS Security component. Successful exploitation can result in unauthorized read access to a subset of RDBMS Security accessible data. |
| CVE-2017-3310 | 9.0 | OJVM | Easily exploitable vulnerability that allows a low-privileged attacker having the Create Session and Create Procedure privileges, with network access via multiple protocols, to compromise OJVM. The attack may significantly impact additional products and requires interaction from a person other than the attacker. Successful exploitation can result in takeover of OJVM. |
| CVE-2015-1791 | 5.6 | Oracle Secure Backup: OpenSSL | Difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via HTTPS to compromise OpenSSL. Successful exploitation can result in unauthorized update, insert or delete access to some of the OpenSSL accessible data, unauthorized read access to a subset of OpenSSL accessible data, and the unauthorized ability to cause a partial denial of service of OpenSSL. |
| CVE-2016-1903 | 9.1 | Oracle Secure Backup: PHP | Easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise PHP. Successful exploitation can result in unauthorized access to critical data or complete access to all PHP accessible data and the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of PHP. |
| CVE-2015-3253 | 9.8 | Oracle Big Data Graph | Easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise the Spatial component. Successful exploitation can result in takeover of the Spatial component. |

Pivotal Greenplum Database 4.3.11.3

The new release of Greenplum Database contains the following changes:

  • A gptransfer issue that occurred when copying tables with multiple distribution keys has been resolved.
  • The query planner might have generated a plan that returned incorrect results for some window queries. The issue has been resolved.
  • Failures of the gpstart/gpstop utilities after a server reboot have been fixed.
  • Performance enhancements to the Query Optimizer, Query Planner, Query Execution, Transaction Management and S3 External Tables.
  • Other enhancements and changes to the following scripts: analyzedb, Backup, Restore, recoverseg, gptransfer.